Sensitive plans of MI6 ‘lost during renovation works’
The UK Secret Intelligence Service (the SIS) has terminated an agreement with its building contractor, Balfour Beatty, after the company reportedly lost sensitive floor plans of MI6’s London headquarters during refurbishment works.
The plans, which were prepared by Balfour Beatty, were kept in a secure room for the duration of the project. The loss of documents was discovered a few weeks ago with an unnamed source describing the whole building going into “lockdown”. All the sub-contracted Balfour Beatty workers were “kept in isolation” for investigations.
Although the documents did not hold a security classification such as “Secret” or “Top Secret”, they were considered highly sensitive due to the nature of their content, such as the location of alarms, stairwells, electric cabling, desk positions and specific offices. The SIS could now be forced to change the layout of the site to avoid compromising its security. Coincidentally, this incident shortly followed the government’s announcement of plans to revamp the Official Secrets Act, which could see the introduction of stricter legislation on the dissemination of information deemed to pertain to national security.
As a result of the lapse in security in losing the documents, the SIS decided to terminate the multi-million-pound contract with Balfour Beatty even though the works were not complete. Most types of construction contracts include termination clauses specifying the circumstances under which a contract may be terminated. Termination of a construction contract can be complex and following the right procedures is critical. This can include giving termination notice, providing notice periods and allowing the contractor an opportunity to correct shortcomings. However, such a process is unlikely to apply in the present circumstances.
We will keep you updated on the developments arising from this case, as well as any updates about amendments to the Official Secrets Act.
Our highly experienced and specialist lawyers can provide you with a safe pair of hands when it comes to any issues or concerns relating to termination of a construction contract and/or breaches of data privacy. Please do get in touch.
A word from our data privacy expert, Lucas Atkin:
There is no confirmation as yet that the incident caused the loss or exposure of any personal data. If it did, the incident likely amounts to a “personal data breach” as defined in the GDPR. It is worth recapping the steps that MI6 and Balfour Beatty – and we, if we were in their shoes – should have taken / should be taking under data privacy law.
Broadly, we recommend the following approach as a starting point:
1. Preparation: assess and record how you use personal data. Enact data security measures which address any risks posed by your use of personal data, both technical (e.g. malware protection, backup procedures, password protection) and organisational (e.g. room access, password instructions, organisational policies explaining how to identify/react to personal data breaches). Ensure data sharing/processing agreements have appropriate terms that give you the most assistance and protection in case of personal data breaches.
2. Reaction: Confirm the breach and ascertain whether any information was exposed. If the information exposed contains personal data, it is likely a personal data breach. Identify whether any special category personal data or otherwise circumstantially sensitive data is involved. Enact measures to contain and remedy the breach.
3. Collaboration: If a breach concerns personal data you use with another organisation, or which another organisation processes on your behalf, read the underlying data sharing/processing agreements.
If appropriate, work together to contain and remedy the breach and your responses. Consider contractual terms allowing you to recover any losses, if relevant (remember, if you are a controller using a processor, under the GDPR you bear most responsibility for personal data breaches).
4. Notification: where you experience a personal data breach, you may need to notify:
(a) the ICO (the UK data protection regulator), no later than 72 hours from becoming aware of the breach, unless a risk of harm to the affected individuals is unlikely, and potentially:
(b) the affected individuals, if the breach poses a high risk of harm to them.
Risk of harm, and its severity, depends on the circumstances. Consider, for example, whether special category personal data or other sensitive information is involved, whether a financial risk is posed to affected individuals, how quickly you resolved the situation and whether you lost control of any information.
5. Documenting and Learning: details of the incident, how it was identified and your reactions (including the decision to notify or not, with an explanation) should be recorded in a security log. This record should discuss lessons learned, and any changes/upgrades to organisational security measures which are made as a result.
Please speak to our data privacy specialist, Lucas Atkin, if you have any questions about personal data breaches or data security in general, or if you think you have suffered a personal data breach.